So you’re telling me my password is stored in plaintext in your database?
With the recent data breaches, would you believe that password you use for your online account is stored in plaintext (i.e. exactly what you typed)?
What’s the big deal, right?
If you were thinking that when you read the first two sentences, I understand where you are coming from.
Before my career in cybersecurity I was very cyber ignorant, as you might say. I, like many others, would use the same password (or slight variations) for many websites. It was so convenient. It was as if I had implemented my own single sign-on solution. Little did I know or understand what a big hole I was digging.
It was as if I was at the beach with my sand shovel, building a sandcastle near the tide. When the tide was low, things were great. But the tide eventually rises.
“Change those passwords!”
That is what I told myself when I started my cybersecurity career… and I did.
Well, I did for the majority of the ones I thought were important.
That dusty old website login for something ancient like MySpace
(I threw in that MySpace reference to see if anybody remembered that social networking site.)
I went to a physical branch for a service I used to have and wanted to start up again. It is a free service, so why not? (Do you find it weird that I went to a physical branch? Come on! Who does that anymore?) I asked the representative if my account was locked.
Rep: “No sir. Your account is active.”
Me: “But my PIN doesn’t work.”
Rep: “Do you remember your PIN?”
Me: (Put in the PIN I remembered.)
Rep: “Let me jog your memory. It’s A… B…C…”
Me: “Yes! Yes! I know which one it is.” (Yikes! I just used it on another account that is important to me.)
Rep: “1… 2…”
Me: “Yes! Yes!” (panicking) “I know which one it is! Thank you for your help.”
Rep: “3… Wait. Did you say something?”
Me: “Thank you for your help. I know which PIN it is.”
Rep: “I can reset it for you or keep reading the rest of the password.”
Me: “Thanks again for your help.”
I was shocked that the representative was able to see my PIN. (This account has no password. You log in with an account number and a PIN, which effectively makes the PIN the password.) The only protection was the representative asking for my driver license to confirm my identity, and that is a procedural control only; nothing in the system itself prevented the stored PIN from being read.
The moral of the story
If you use the same password on many websites, please stop and make them unique. I recommend a long passphrase (spaces included):
I sure hope… my PASSPHRASE is not stored in plaintext!
And assume that anything you type online will eventually be discovered, and that you cannot trust that the service or product you are using was well designed.
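To make the difference concrete, here is an added example (it is not code from the original article, and it is not how any real service is implemented) contrasting the plaintext storage that let the representative read a PIN back over the counter with the defensive design a well-built service should use: a per-user random salt and a deliberately slow password hash, so the stored record never contains the secret and the same passphrase produces a different record for every account. The iteration count and the `pbkdf2_sha256$…` record layout are choices made for this example, not a standard any service is required to follow.

```python
import hashlib
import hmac
import os

# ---- The anti-pattern: the secret itself sits in the database ----
# Anyone who can read this table (a representative, a backup, a breach
# dump) can read every user's PIN or password exactly as they typed it.
plaintext_store: dict[str, str] = {}


def store_plaintext(account_number: str, pin: str) -> str:
    """Store the PIN as typed (deliberately bad; shown only for contrast)."""
    plaintext_store[account_number] = pin
    return plaintext_store[account_number]


# ---- The defensive design: salted, slow, one-way hash ----
# 600,000 iterations is a choice for this example; the point is that each
# guess costs real CPU time and that the hash cannot be reversed.
ITERATIONS = 600_000


def hash_passphrase(passphrase: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The salt is random per call, so two users with the same passphrase
    (or one user re-registering) never share a stored record.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_passphrase(passphrase: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        passphrase.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def secret_visible_in_record(secret: str, record: str) -> bool:
    """True if someone reading the stored record can see the secret itself."""
    return secret in record


if __name__ == "__main__":
    # Constructed sample values for the demonstration only.
    pin = "ABC123"
    passphrase = "I sure hope my PASSPHRASE is not stored in plaintext!"

    bad_record = store_plaintext("acct-0001", pin)
    print("plaintext record:", bad_record)
    print("PIN readable by anyone with DB access:",
          secret_visible_in_record(pin, bad_record))

    good_record = hash_passphrase(passphrase)
    print("hashed record:   ", good_record)
    print("passphrase readable from record:",
          secret_visible_in_record(passphrase, good_record))
    print("login with correct passphrase:", verify_passphrase(passphrase, good_record))
    print("login with wrong passphrase:  ", verify_passphrase("ABC123", good_record))
    print("same passphrase, different record:",
          hash_passphrase(passphrase) != good_record)
```

With the hashed design, a representative (or an attacker holding a copy of the database) can reset the credential but cannot read it back, which is exactly the property the counter conversation above shows was missing.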
I hope you enjoyed this article and didn’t almost have a heart attack, like I did, while experiencing the scenario I described.
Just to be on the safe side, I changed the passwords/PINs for the two accounts and many others.
About the Author
Miguel is a Principal Security Engineer and the author of the “Serverless Security” book. He has worked on multiple serverless projects as a developer and security engineer, contributed to open-source serverless projects, and worked on large military systems in various engineering roles.
Originally published on Medium.com